Abstract

In 2006, Peris-Lopez et al. [1][2][3] initiated the design of ultralightweight RFID protocols, with the UMAP family of protocols, involving only simple bitwise logical or arithmetic operations such as bitwise XOR, OR, AND, and addition. This combination of operations was later revealed to be insufficient for security. Then, Chien et al. proposed the SASI protocol [4] with the aim of offering better security, by adding the bitwise rotation to the set of supported operations. The SASI protocol represented a milestone in the design of ultralightweight protocols, although certain attacks have been published against this scheme [5][6][7]. In 2008, a new protocol, named Gossamer [8], was proposed that can be considered a further development of both the UMAP family and SASI. Although no attacks have been published against Gossamer, Lee et al. [9] have recently published an alternative scheme that is highly reminiscent of SASI. In this paper, we show that Lee et al.'s scheme falls short of many of its security objectives, being vulnerable to several important attacks such as traceability, full disclosure, cloning and desynchronization.

Keywords: RFID, Authentication, Ultralightweight protocols, Cryptanalysis



1 Introduction 



In an RFID system, objects are labelled with a tag. Each tag contains a microchip with a certain (generally limited) amount of computational and storage capabilities, and a coupling element. Such devices can be classified according to their memory type and power source. Another relevant parameter is tag price, which creates a broad distinction between high-cost and low-cost RFID tags. The rule of thumb of gate cost says that every extra 1,000 gates increases chip price by 1 cent [10].

In [1], Chien proposed a tag classification mainly based on which operations are supported on-chip. High-cost tags are divided into two classes: "full-fledged" and "simple". Full-fledged tags support on-board conventional cryptography such as symmetric encryption, cryptographic one-way functions and even public key cryptography. Simple tags can support random number generators and one-way hash functions. Likewise, there are two classes of low-cost RFID tags. "Lightweight" tags are those whose chip supports random number generation and simple functions such as a Cyclic Redundancy Checksum (CRC), but not a cryptographic hash function. "Ultralightweight" tags can only compute simple bitwise operations like XOR, AND, OR, etc.

In this paper we focus on the latter category of ultralightweight tags. These tags represent the greatest challenge in terms of security, due to their expected wide deployment and, at the same time, extremely limited capabilities.

2 Related Work 

In 2006, Peris et al. proposed a family of Ultralightweight Mutual Authentication Protocols (henceforth referred to as the UMAP family of protocols). Chronologically, M²AP [1] was the first proposal, followed by EMAP [2] and LMAP [3]. Although some vulnerabilities were discovered (active attacks [11][12] and later on passive attacks [13][14]) which rendered those first proposals insecure, they were an interesting advance in the field of lightweight cryptography for low-cost RFID tags.

In 2007, Hung-Yu Chien published a very interesting ultralightweight authentication protocol providing Strong Authentication and Strong Integrity (SASI) for very low-cost RFID tags [4]. The SASI protocol is highly reminiscent of the UMAP family and, more concretely, of the LMAP protocol. The main difference between these two protocols is the inclusion of the rotation in the set of operations supported by each tag. Indeed, the messages transmitted over the insecure channel in the UMAP family are computed by the composition of triangular functions (e.g. addition modulo 2, bitwise OR, etc.), easily implemented in hardware, which finally results in another triangular function [15]. A triangular function has the property that each output bit depends only on the leftmost input bits, instead of on all input bits. This undesirable characteristic (lack of diffusion) greatly facilitated the analysis of the messages transmitted in the UMAP family of protocols, and thus the work of the cryptanalyst.

SASI represented a considerable advance towards the design of a secure ultralightweight protocol. However, certain important attacks have been published. First, Sun et al. proposed two desynchronization attacks. In [6], a denial-of-service and traceability attack was proposed. Then, D'Arco et al. [7] proposed another desynchronization attack and an identity disclosure attack. In [16], Phan shows how a passive attacker can track tags, violating the location privacy of the tags' holder. Finally, Hernandez-Castro et al. [17] recently proposed a full disclosure attack, but the authors assume modular rotation instead of Hamming weight rotation.

In 2008, the Gossamer protocol [8] was proposed as a further development of both the UMAP family and the SASI protocol. So far, this scheme seems to be the most secure ultralightweight authentication protocol for low-cost RFID tags, as no attacks have been published. As an alternative to Gossamer, Lee et al. [9] recently published a new ultralightweight RFID protocol with mutual authentication (UMA-RFID in the following). The analysis of this recent protocol is the subject of this paper.



3 Lee et al. Ultralightweight RFID Protocol with Mutual Authentication



Tag, reader and back-end database are the three entities involved in the protocol. Each tag has a static identifier (ID). A pseudonym, i.e. a dynamic temporary identifier (IDT), and a secret key (K) are shared between the tag and the reader. Indeed, the old and the potential new values of the pair {IDT, K} are both kept in the tag to hinder desynchronization attacks. The length of the variables is 128 bits. The channel between the tag and the reader is insecure due to the open nature of the radio channel. In contrast, a secure channel is assumed for the communications between the reader and the back-end database.

Tags are limited to bitwise operations (i.e. bitwise XOR, OR and AND) and left bitwise rotation. Specifically, Rot(A, B) symbolizes that the vector A is subjected to a circular shift of n bit positions, where n is the Hamming weight of vector B (i.e. n = hw(B)). Readers are limited to the same set of operations and have the extra capability of random number generation.

We describe the messages exchanged in the protocol below (see also Figure 1). First, the reader (R) and the tag (T) are mutually authenticated (authentication phase). Then, the reader and the tag, respectively, update the private information {IDT, K} shared and kept synchronized between them (updating phase).

1. Authentication Phase

T → R : IDT_i. In the i-th session, the reader sends a request message to the tag. Then, the tag backscatters its pseudonym (IDT_i) to provide anonymous identification.

R → T : A_i, B_i. Upon receiving IDT_i, the reader looks up in the database the secret key associated with T. Then, it generates a new random value N_i and computes the authentication messages A_i and B_i:

$$A_i = K_i \oplus N_i \quad (1)$$
$$B_i = Rot(K_i, K_i) \oplus Rot(N_i, N_i) \quad (2)$$

The reader sends {A_i, B_i} to the tag.
Figure 1: Ultralightweight RFID Protocol with Mutual Authentication

T → R : C_i. After receiving {A_i, B_i}, the tag obtains N'_i from message A_i (N'_i = A_i ⊕ K_i) and computes its local version of B_i (B'_i = Rot(K_i, K_i) ⊕ Rot(N'_i, N'_i)). If B_i = B'_i, the reader is authenticated. Then, the tag computes the authentication message C_i:

$$C_i = (K_i \vee Rot(N_i, N_i)) \oplus (Rot(K_i, K_i) \wedge N_i) \quad (3)$$

Finally, the tag sends C_i to the reader.

R: Upon receiving C_i, the reader checks its correctness to authenticate the tag.

2. Updating Phase. Upon the reader authentication (messages A_i, B_i), the tag updates its secret information when message C_i is sent. The updating in the reader is conditioned on the valid authentication of the tag (message C_i). Specifically, the updating phase is defined by the equations below:

$$IDT_{i+1} = K_i \oplus Rot(N_i, N_i) \quad (4)$$
$$K_{i+1} = Rot(K_i, K_i) \oplus N_i \quad (5)$$

4 Security Analysis 

In this section, we describe the security vulnerabilities of Lee et al. protocol.

4.1 Traceability Attack

Traceability is one of the most important security threats linked to RFID technology. Location privacy is compromised when tags answer readers' queries with a constant, static value, something that curiously happens in numerous commercial tags. An encrypted version of the static identifier may be used for privacy protection, but an attacker could still track the tag's holder as the tag keeps on sending a constant value. So it seems necessary to anonymize tags' answers by the inclusion of nonces. However, the simple use of random numbers by itself does not guarantee that a protocol will be resistant to traceability attacks [18].

The traceability problem has attracted a lot of research. In [12], Juels and Weis give a formal definition of the untraceability model. The same definition, though with a style more similar to that used for security protocols, is described by Phan in his attack against the SASI protocol [16].

In RFID schemes, tags T and readers R interact in protocol sessions. In general terms, the adversary (A) controls the communications between all the participants and interacts passively or actively with them. Specifically, A can run the following queries:

• Execute(R, T, i) query. This models a passive attacker. A eavesdrops on the channel, and gets read access to the exchange of messages between R and T in session i of a genuine protocol execution.

• Send(X, Y, M, i) query. This models that the message M sent from X to Y in session i is blocked or altered (e.g. flipping one bit), preventing its correct reception.

• Test(i, T_0, T_1) query. This does not model any ability of A, but it is necessary to define the untraceability test. When this query is invoked for session i, a random bit b ∈ {0, 1} is generated. Then, the pseudonym IDT_i^{T_b} from the set {IDT_i^{T_0}, IDT_i^{T_1}}, corresponding to the tags {T_0, T_1}, is given to A.

Upon definition of the adversary's abilities, the untraceability problem can be defined as a game G divided into the following phases:

Phase 1 (Learning): A can send Execute and Send queries. So, A eavesdrops the messages passed over the channel (passive attack) and has the ability to block certain messages (active attack).

Phase 2 (Challenge): A chooses two fresh tags whose associated identifiers are ID_0 and ID_1. Then he sends a Test(i, T_0, T_1) query. As a result, A is given a dynamic temporary identifier IDT_i^{T_b} from the set {IDT_i^{T_0}, IDT_i^{T_1}}, which depends on a chosen random bit b ∈ {0, 1}.

Phase 3 (Guessing): A finishes the game and outputs a bit d (d ∈ {0, 1}) as its conjecture of the value of b.

A's success in winning G is equivalent to the success of breaking the untraceability property offered by the protocol. So the advantage of A in distinguishing whether the messages correspond to T_0 or T_1 is defined as below:

$$Adv_A^{UNT}(t, r_1, r_2) = \left| \Pr[d = b] - \tfrac{1}{2} \right| \quad (6)$$

where t is a security parameter (i.e. the bit length of the key shared by the tag and the reader) and r_1 and r_2 are the number of times A can run Execute and Send queries respectively.
Definition. An RFID protocol in an RFID system (S = {R_i, T_0, T_1, ...}) in which an adversary A can invoke {Execute(R, T, i), Send(X, Y, M, i), Test(i, T_0, T_1)} in a game G, offers resistance against traceability if:

$$Adv_A^{UNT}(t, r_1, r_2) < \varepsilon(t, r_1, r_2) \quad (7)$$

ε(·) being some negligible function.

We will show how the UMA-RFID scheme does not guarantee location privacy, it being possible to track tags.

Theorem 4.1. The UMA-RFID protocol, on an RFID system (S = {R_i, T_0, T_1, ...}) in which an adversary A can invoke two Execute(R, T, i) queries, one Send(X, Y, M, i) query, and, subsequently, one Test(i, T_0, T_1) query in an untraceability game G, is vulnerable to traceability attacks, since the advantage for an adversary to win G is significant: Adv_A^{UNT}(t, 2, 1) = 0.5 > ε(t, 2, 1).

Proof. Specifically, an adversary A performs the following steps:

Phase 1 (Learning): A sends two Execute(R, T_0, i) queries, i ∈ {n, n+1}, and one Send(T_0, R, C_{n+1}^{T_0}, n+1) query to T_0. A acquires the tuple {IDT_n^{T_0}, A_n^{T_0}, B_n^{T_0}, C_n^{T_0}} and {IDT_{n+1}^{T_0}} where

$$B_n^{T_0} = Rot(K_n^{T_0}, K_n^{T_0}) \oplus Rot(N_n^{T_0}, N_n^{T_0}) \quad (8)$$
$$IDT_{n+1}^{T_0} = K_n^{T_0} \oplus Rot(N_n^{T_0}, N_n^{T_0}) \quad (9)$$

The Send(T_0, R, C_{n+1}^{T_0}, n+1) query frustrates the correct reception of message C_{n+1}^{T_0} in session n+1, which avoids the updating of the secret key and the pseudonym in the reader. The tag is thus identified using the old pair {IDT_{n+1}^{T_0}, K_{n+1}^{T_0}} in the next session n+2.

Phase 2 (Challenge): A chooses two fresh tags whose associated identifiers are ID_0 and ID_1. Then he sends a Test(n+2, T_0, T_1) query. As a result, A is given a dynamic temporary identifier IDT_{n+2}^{T_b} from the set {IDT_{n+2}^{T_0}, IDT_{n+2}^{T_1}}, which depends on a chosen random bit b ∈ {0, 1}.

Phase 3 (Guessing): A finishes G and outputs a bit d (d ∈ {0, 1}) as its conjecture of the value b. In particular, we propose the following procedure to obtain the value d:

1. From Equations (8) and (9), the following constant value associated with T_0 is obtained by the adversary:

$$X = B_n^{T_0} \oplus IDT_{n+1}^{T_0} = Rot(K_n^{T_0}, K_n^{T_0}) \oplus K_n^{T_0} \quad (10)$$

2. A calculates the XOR between the value captured in the learning phase (Equation (8)) and the pseudonym presented in the challenge phase:

$$B_n^{T_0} \oplus IDT_{n+2}^{T_b} = \begin{cases} B_n^{T_0} \oplus IDT_{n+1}^{T_0} = X & \text{if } b = 0 \\ \neq X & \text{if } b = 1 \end{cases} \quad (11)$$

3. A utilizes the following simple decision rule:

$$d = \begin{cases} 0 & \text{if } B_n^{T_0} \oplus IDT_{n+2}^{T_b} = X \\ 1 & \text{otherwise} \end{cases} \quad (12)$$

So the use of random numbers does not prevent, in this case, the attacker from associating the tag's answers with its holder, with a 100% probability of success. □

4.2 Full Disclosure, Cloning, and Desynchronization Attacks

The tag and the reader share a secret key. The main purpose of this key is the authentication of both entities. The key is combined with a random number to hamper its acquisition by the attacker when passed over the insecure channel. The above idea is well conceived, but the protocol abuses the usage of Rot(K_i, K_i) and Rot(N_i, N_i). Indeed, this fact facilitates a sort of linear cryptanalysis of the scheme, despite the combination of triangular and non-triangular functions.

Theorem 4.2. In the UMA-RFID protocol, a passive attacker, after eavesdropping two consecutive authentication sessions {n, n+1} between an authentic tag (T) and a genuine reader (R), can discover the secret key shared by these two entities by simply computing an XOR among some of the public messages transmitted over the radio channel:

$$K_{n+1} = A_n \oplus B_n \oplus IDT_{n+1} \quad (13)$$

Proof. We start by describing the messages exchanged in sessions {n, n+1}:

Session n: {IDT_n, A_n, B_n, C_n} where

$$A_n = K_n \oplus N_n \quad (14)$$
$$B_n = Rot(K_n, K_n) \oplus Rot(N_n, N_n) \quad (15)$$

Session n+1: {IDT_{n+1}, A_{n+1}, B_{n+1}, C_{n+1}} where

$$IDT_{n+1} = K_n \oplus Rot(N_n, N_n) \quad (16)$$
$$A_{n+1} = K_{n+1} \oplus N_{n+1} \quad (17)$$
$$B_{n+1} = Rot(K_{n+1}, K_{n+1}) \oplus Rot(N_{n+1}, N_{n+1}) \quad (18)$$
$$C_{n+1} = (K_{n+1} \vee Rot(N_{n+1}, N_{n+1})) \quad (19)$$
$$\qquad \oplus (Rot(K_{n+1}, K_{n+1}) \wedge N_{n+1}) \quad (20)$$

The secret key of the tag in session n+1 is described by the equation below:

$$K_{n+1} = Rot(K_n, K_n) \oplus N_n \quad (21)$$

Finally, the attacker can acquire the actual secret key (K_{n+1}) of the tag by computing the XOR between the public messages A_n, B_n and IDT_{n+1} (see Equations (14), (15) and (16)):

$$\begin{aligned}
A_n \oplus B_n \oplus IDT_{n+1} &= K_n \oplus N_n \oplus Rot(K_n, K_n) \oplus Rot(N_n, N_n) \oplus K_n \oplus Rot(N_n, N_n) \\
&= (K_n \oplus K_n) \oplus N_n \oplus Rot(K_n, K_n) \oplus (Rot(N_n, N_n) \oplus Rot(N_n, N_n)) \\
&= (0x0) \oplus N_n \oplus Rot(K_n, K_n) \oplus (0x0) \\
&= N_n \oplus Rot(K_n, K_n) = Rot(K_n, K_n) \oplus N_n = K_{n+1}
\end{aligned} \quad (22)$$

□
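To make the linear relations behind Theorems 4.1 and 4.2 concrete, the following Python snippet (an added example, not code from this paper or from Lee et al.) implements the Rot operator and messages (1)-(5) on 128-bit words, runs one honest session on constructed key and nonce values, and checks that A_n ⊕ B_n ⊕ IDT_{n+1} reproduces the next key as in (13) and that B_n ⊕ IDT_{n+1} is the nonce-free constant of (10). All function names are ours.

```python
import secrets

L = 128                  # bit length of every protocol variable in UMA-RFID
MASK = (1 << L) - 1


def hw(x: int) -> int:
    """Hamming weight of an L-bit word."""
    return bin(x & MASK).count("1")


def rot(a: int, b: int) -> int:
    """Rot(A, B): left circular shift of A by hw(B) positions."""
    n = hw(b) % L
    return ((a << n) | (a >> (L - n))) & MASK


def reader_messages(k: int, n: int) -> tuple:
    """Reader side, Equations (1) and (2): (A_i, B_i)."""
    return k ^ n, rot(k, k) ^ rot(n, n)


def tag_response(k: int, a: int, b: int):
    """Tag side: recover N from A, verify B (reader authentication) and
    answer with C as in Equation (3); None means the reader was rejected."""
    n = a ^ k
    if b != rot(k, k) ^ rot(n, n):
        return None
    return (k | rot(n, n)) ^ (rot(k, k) & n)


def update(k: int, n: int) -> tuple:
    """Updating phase, Equations (4) and (5): (IDT_{i+1}, K_{i+1})."""
    return k ^ rot(n, n), rot(k, k) ^ n


def passive_key_recovery(a_n: int, b_n: int, idt_next: int) -> int:
    """Equation (13): what an eavesdropper of sessions n and n+1 computes."""
    return a_n ^ b_n ^ idt_next


def tracing_constant(b_n: int, idt_next: int) -> int:
    """Equation (10): B_n xor IDT_{n+1}; the nonce terms cancel out."""
    return b_n ^ idt_next


def session(k: int, n: int) -> dict:
    """Run one honest session with key K_n = k and reader nonce N_n = n and
    return the public transcript together with the private new state."""
    a, b = reader_messages(k, n)
    c = tag_response(k, a, b)
    assert c is not None, "an honest reader must be accepted by the tag"
    idt_next, k_next = update(k, n)
    return {"A": a, "B": b, "C": c, "IDT_next": idt_next, "K_next": k_next}


def demo(k=None, n=None) -> dict:
    """Check both leaks; values are constructed at random if none are given."""
    k = secrets.randbits(L) if k is None else k
    n = secrets.randbits(L) if n is None else n
    s = session(k, n)
    return {
        # the eavesdropper's XOR of public values equals the tag's real next key
        "key_leaked": passive_key_recovery(s["A"], s["B"], s["IDT_next"]) == s["K_next"],
        # the tracing constant depends on K_n only, never on the nonce N_n
        "constant_is_nonce_free": tracing_constant(s["B"], s["IDT_next"]) == rot(k, k) ^ k,
    }


if __name__ == "__main__":
    print(demo())
```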

RFID tags are usually not designed to be tamper resistant, because this would significantly increase their price. An active attacker may tamper with the tag in order to read from or write to the memory in which secret values are stored. Low-cost RFID tags cannot offer protection against this sort of attack but should be resistant, at least, to passive attacks. We now show how a passive attacker is able to clone a tag after revealing all the secrets stored in the tag, but without requiring any physical manipulation of it.

Theorem 4.3. In the UMA-RFID protocol, a passive attacker, after eavesdropping two consecutive authentication sessions {n, n+1} between an authentic tag (T) and a genuine reader (R), can clone the tag by computing:

$$IDT_{n+2} = K_{n+1} \oplus Rot(N_{n+1}, N_{n+1}) \quad (23)$$
$$K_{n+2} = Rot(K_{n+1}, K_{n+1}) \oplus N_{n+1} \quad (24)$$

Proof. From Theorem 4.2, an adversary can discover the actual secret key of the tag (K_{n+1}) after eavesdropping the messages {IDT_n, A_n, B_n, C_n} exchanged in session n and the dynamic temporary identifier (IDT_{n+1}) in session n+1:

$$K'_{n+1} = A_n \oplus B_n \oplus IDT_{n+1} \quad (25)$$

Then, the adversary can obtain the random number associated with session n+1 by computing an XOR between the message A_{n+1} and the key K'_{n+1}. Then, message B_{n+1} can be used to check its correctness.

$$N'_{n+1} = K'_{n+1} \oplus A_{n+1} \quad (26)$$
$$B_{n+1} = Rot(K'_{n+1}, K'_{n+1}) \oplus Rot(N'_{n+1}, N'_{n+1}) \quad (27)$$

Once the actual key (K_{n+1}) and the random number (N_{n+1}) linked to session n+1 are known by the attacker, the new state can be computed by using these values:

$$IDT_{n+2} = K'_{n+1} \oplus Rot(N'_{n+1}, N'_{n+1}) \quad (28)$$
$$K_{n+2} = Rot(K'_{n+1}, K'_{n+1}) \oplus N'_{n+1} \quad (29)$$

Finally, the attacker can copy the above values to the memory of a blank tag, which results in a cloning attack (having an indistinguishable copy of an authentic tag). □
Tags and readers have to remain synchronized to run the protocol successfully. The authors take the extra precaution of storing the old and potential new values of the pair {IDT, K} to fight against desynchronization attacks, but in this case this well-known approach from the literature is not enough. Despite this countermeasure, an attacker is able to desynchronize a tag and a reader by exploiting Theorem 4.2.

Theorem 4.4. In the UMA-RFID protocol, a passive attacker, after eavesdropping two consecutive authentication sessions {n, n+1} and performing a man-in-the-middle attack between an authentic tag (T) and a genuine reader (R), can desynchronize these two entities by sending:

$$A^*_{n+1} = K'_{n+1} \oplus N^*_{n+1} \quad (30)$$
$$B^*_{n+1} = Rot(K'_{n+1}, K'_{n+1}) \oplus Rot(N^*_{n+1}, N^*_{n+1}) \quad (31)$$
$$C'_{n+1} = (K'_{n+1} \vee Rot(N'_{n+1}, N'_{n+1})) \oplus (Rot(K'_{n+1}, K'_{n+1}) \wedge N'_{n+1}) \quad (32)$$

Proof. Taking advantage of Theorem 4.2, any adversary, after eavesdropping the messages {IDT_n, A_n, B_n, C_n} exchanged in session n and the dynamic temporary identifier (IDT_{n+1}) of session n+1, gets the actual secret key of the tag (K_{n+1}):

$$K'_{n+1} = A_n \oplus B_n \oplus IDT_{n+1} \quad (33)$$

Then, the attacker starts the man-in-the-middle attack. Specifically, the attacker intercepts the messages {A_{n+1}, B_{n+1}} (see Equations (17) and (18)) and sends {A^*_{n+1}, B^*_{n+1}}, linked to the random number N^*_{n+1}:

$$A^*_{n+1} = K'_{n+1} \oplus N^*_{n+1} \quad (34)$$
$$B^*_{n+1} = Rot(K'_{n+1}, K'_{n+1}) \oplus Rot(N^*_{n+1}, N^*_{n+1}) \quad (35)$$

Finally, the attacker intercepts the answer C^*_{n+1} of the tag, and computes the answer C'_{n+1} to the original messages {A_{n+1}, B_{n+1}} sent by the genuine reader:

$$N'_{n+1} = A_{n+1} \oplus K'_{n+1} \quad (36)$$
$$B_{n+1} = Rot(K'_{n+1}, K'_{n+1}) \oplus Rot(N'_{n+1}, N'_{n+1}) \quad (37)$$
$$C'_{n+1} = (K'_{n+1} \vee Rot(N'_{n+1}, N'_{n+1})) \oplus (Rot(K'_{n+1}, K'_{n+1}) \wedge N'_{n+1}) \quad (38)$$

After the mutual authentication between the tag and the reader, both entities update their internal secret values:

Tag:
$$IDT_{n+2} = K'_{n+1} \oplus Rot(N^*_{n+1}, N^*_{n+1})$$
$$K_{n+2} = Rot(K'_{n+1}, K'_{n+1}) \oplus N^*_{n+1}$$

Reader:
$$IDT'_{n+2} = K'_{n+1} \oplus Rot(N'_{n+1}, N'_{n+1})$$
$$K'_{n+2} = Rot(K'_{n+1}, K'_{n+1}) \oplus N'_{n+1}$$

So the adversary deceives the tag and the reader into thinking that the random number associated with session n+1 is N^*_{n+1} or N'_{n+1} respectively. As a consequence of this fact, the tag and the reader lose their synchronization after the completion of the updating phase. □
To further clarify the attacks previously described, Figures 2(a) and 2(b) illustrate the messages exchanged.

As an easy alternative to the last attack presented, an adversary can desynchronize tags and readers using the non-resistance of bitwise operations to active attacks [11]. The adversary can reuse old values, transmitted in the channel, to compute new valid authentication messages. Specifically, an XOR operation between the captured value and a properly selected constant value (e.g. A_{i+1} = A_i ⊕ 0x0005) is enough to achieve this objective.

Theorem 4.5. In the UMA-RFID protocol, a passive attacker, after eavesdropping an authentication session n between an authentic tag (T) and a genuine reader (R), can desynchronize these two entities by sending A_{n+1} = A_n ⊕ C_1, B_{n+1} = B_n ⊕ C_2, where {C_i}_{i=1}^{2} are any constant values whose Hamming weight is exactly 2.

Proof. First, the adversary eavesdrops the messages {IDT_n, A_n, B_n, C_n} passed over the channel in session n, where

$$A_n = K_n \oplus N_n \quad (39)$$
$$B_n = Rot(K_n, K_n) \oplus Rot(N_n, N_n) \quad (40)$$

After the mutual authentication, the tag and the reader update their secret values {IDT_{n+1}, K_{n+1}}. Indeed, the tag stores the old and the potential new values with the objective of preventing desynchronization attacks. However, the adversary may exploit this fact, simulating the incorrect reception of the C message and using the old values in a new authentication, provoking a new update in the tag but not in the reader. Specifically, the adversary follows the experiment described below:

1. Initialization. The adversary randomly selects the C_1 value, with the restriction that its Hamming weight is 2 (i.e. hw(C_1) = 2).

2.0. Selection of the mask. The adversary picks a C_2 value from the subset of x ∈ {0, 1, ..., 2^L} that satisfies hw(x) = 2, where L is the length of the variables used (i.e. L = 128 in Lee et al. protocol [9]).

2.1. Authentication. The adversary computes and sends to the legitimate tag the authentication messages:

$$A_{n+1} = A_n \oplus C_1 = K_n \oplus N_n \oplus C_1 \quad (41)$$
$$B_{n+1} = B_n \oplus C_2 = Rot(K_n, K_n) \oplus Rot(N_n, N_n) \oplus C_2 \quad (42)$$

2.2. Check of C_2. If the tag accepts {A_{n+1}, B_{n+1}} and replies C_{n+1} to the adversary, it proves the success of the attack launched. Otherwise, the process is repeated from Step 2.0.
Table 1: Performance Comparison of Ultralightweight Authentication Protocols

                                         | UMAP family [1][2][3] | SASI [4]        | UMA-RFID [9]  | Gossamer [8]
-----------------------------------------|-----------------------|-----------------|---------------|-------------------
Resistance to Desynchronization Attacks  | No                    | No              | No            | Yes
Resistance to Disclosure Attacks         | No                    | No              | No            | Yes
Privacy and Anonymity                    | No                    | No              | No            | Yes
Mutual Auth. and Forward Security        | Yes                   | Yes             | Yes           | Yes
Total Messages for Mutual Auth.          | 4-5L                  | 4L              | 3L            | 4L
Memory Size on Tag                       | 6L                    | 7L              | 5L            | 7L
Memory Size for each Tag on Database     | 6L                    | 4L              | 3L            | 4L
Operation Types on Tag                   | ⊕, ∨, ∧, +            | ⊕, ∨, ∧, +, Rot | ∧, ∨, ⊕, Rot  | ⊕, +, Rot, MixBits
3. Check of C_1. If Step 2 ({2.0 - 2.2}) completely fails, the process is repeated from Step 1.

When the messages {A_{n+1}, B_{n+1}} are accepted by the genuine tag, the tag sends C_{n+1} and updates its secret values. However, the reader, which is not involved in the attack, keeps on storing its old values. So the reader and the tag lose their synchronized state, and this situation is irreversible.

The remaining question is how efficient the attack is. C_1 is restricted to having a Hamming weight of 2 in order for the Hamming weights of N_n and N_n ⊕ C_1 to be unknown but have a good probability of being equal. As two bits are flipped in N_n, and N_n is a uniformly distributed random vector, the above condition is satisfied with a probability of 1/2. Finally, the adversary has to test with different values of C_2. As the adversary does not know the Hamming weight of N_n ⊕ C_1, he cannot say by how many bits C_1 is rotated. However, he knows that the vector resulting from this rotation has a Hamming weight of 2, which is quite advantageous. Indeed, the average number of times that the adversary has to try is $C_{L,2} = \binom{L}{2} = \binom{128}{2} = 8128 \ll 2^{128}$. □

Finally, a simple comparison of ultralightweight authentication protocols is 
shown in Table 1, where L designates the bit length of variables used. 

5 Conclusions 

In this paper, we present the cryptanalysis of Lee et al. protocol, which is one of the most recent RFID mutual authentication protocols in the area of ultralightweight cryptography. The scheme presents noteworthy weaknesses related to most of the security properties initially required in its protocol design. Furthermore, the protocol is an excellent example of how triangular and non-triangular functions have to be combined to design secure ultralightweight protocols, and also of how their combined usage does not guarantee any security by itself.